NOTICE 


THIS DOCUMENT HAS BEEN REPRODUCED FROM 
MICROFICHE. ALTHOUGH IT IS RECOGNIZED THAT 
CERTAIN PORTIONS ARE ILLEGIBLE, IT IS BEING RELEASED 
IN THE INTEREST OF MAKING AVAILABLE AS MUCH 
INFORMATION AS POSSIBLE 



SUMC FAULT TOLERANT COMPUTER SYSTEM 
FINAL REPORT 
FOR 

CONTRACT NAS8-31747 


(MASA-CH-161581) SOHC FAULT TOLEHAHT H80-34111 

COMPUTER SYSTEM (NASA) 74 p HC A04/HF A01 

CSCL 09B 

Unclas 

G3/60 29013 


September 10, 1980 


£$ N0V1980 

RECEIVED. 
NAS&SIUMtBQ 
ACCEK CEE! 



SUMC Fault Tolerant Computer System 
Final Report 
for 

Contract NAS8-31747 


September 10, 1980 


Prepared For: 


The Marshall Space Flight Center 
Huntsville, Alabama 


INTRODUCTION 


Section 

1*0 

2.0 

2,1 

2.2 

2.3 

2.4 

2.5 


TRADE STUDIES 
Configurations 

Redundancy Management Unit (RMU) Concept 
Interfaces 

FTM Control Strategy 
Storage Address Expansion 


3.0 

3.1 

3.1.1 

3.1.2 

3.1.2. 1 

3.1. 2. 1.1 

3. 1.2. 1.2 

3. 1.2.1. 3 

3. 1.2. 2 

3. 1.2. 3 

3.1. 2. 4 

3. 1.2. 5 
3.1.3 
3a. 3.1 

3.1.3. 2 

3.1. 3.3 

3.1. 3. 4 

3.1. 3. 5 

3.2 

3.3 


IMPLEMENTATION 

Fault Tolerant Memory 

Storage Array 

Translator 

Parity Trees 

Check Bit Matrix 

Error Detection and Location 

Self-Testing 

Corrector 

Error Analysis 

Command and Status Registers 

Spare Assignment Register 

Error Correction Algorithms 

Error Location 

Address Tally 

Fault Tally 

Reconfigure 

Test/Copy /Correct 

FTM System Management 

Implementation of Address Extension 



ILLUSTRATIONS 


Figure 

% ' 

1181 

2-1 

Simplified SUHC-IIC 

2-2 

f-2 

Trade-Off Configurations 

2-4 

2-3 

Duel Port Configurations 1 and 2 

2-6 

2-4 

Dual Port Configuration 4 

2-7 

2-5 

Dual Port Configurations 5 and 6 

2-8 

2-6 

SUMC-IIC Configuration 

2-10 

2-7 

Cross-s trapping with no Single Failure Modes 

2-16 

2-8 

Staple Cross-strapping 

2-16 

2-9 

Extended Memory Segmenting 

2-23 

2-10 

Flow Diagram of the S/360 Effective Address 
Calculation 

2-25 

2-11 

SUMC-IIC Block Diagram 

2-27 

2-12 

Sectored Memory Implementation 

2-29 

2-13 

Double Precision EA Microprogram Hardware 

2-30 

2-14 

Data Path Extension 

2-31 

3-1 

Storage Array Organization 

3-2 

3-2 

Translator Functional Block Diagram 

3-3 

3-3 

Parity Check Matrix for 16 Data Bits 

3-5 

3-4 

Functional Parity Tree Representation 

3-7 

3-5 

Correction Decoder 

3-8 

3-6 

Error Analysis 

3-10 

3-7 

Command 'NO-OP' Command Structure 

3-14 

3-8 

Translator Error/Status Word 

3-15 

3-9 

Diagnose Repair Flow 

3-17 

3-10 

RMU Status Codes 

3-18 

3-11 

Form Fault Word 

3-20 

3-12 

Address Fault Tally 

3-22 


ii 


Figure Page 

3-13 Fault Tally Routine 3-23 

3-14 * Reconfigure Routine 3-26 

3-15 Teat/Copy /Correct Routine 3-27 

3-16 Multiple Error Correction Algorithm 3-28 

3-17 Extended Addressing - Data Path Extension 3-32 

Table 

2-1 Configuration Trade Data 2-9 

2- 2 Summary of Address Expansion Trades 2-32 

3- 1 FTM Diagnostic Execution 3-30 

3-2 Control Equations 3-35 


ill 


SUMO II C FINAL REPORT 


1.0 INTRODUCTION 


This report presents the results of the trede studies conducted on 
contrsct number NAS 8-31747. These trades cover: establishing the 
basic configuration, establishing the CPU/memory configuration, 
establishing an approach to crosstrapping interfaces, defining the 
requirements of the redundancy management unit (RMU), establishing a 
spare plane switching strategy for the fault-tolerant memory (FTM) , 
and identifying the most cost effective way of extending the memory 
addressing capability beyond the 64 K-bytes (K-1024) of SUMC-II B. 

The results of the design are compiled in Contract End Item (CEI) 
Specification for the NASA Standard Spacecraft Computer II (NSSC-II), 
IBM 7934507. The report also presents, in Section 3, the implemen- 
tation of the FTM and memory address expansion. The scope of the 
original contract was reduced so that the IOUs and RMU were not 
designed. 


1-1 


TRADE STUDIES 


2.0 

2.1 CONFIGURATIONS 

The first item requiring resolution In the SUMC-II C is the basic 
configuration. The objectives end constraints of the program ere 
listed below: 

o Provide flexibility to be able to meet varying levels of 
redundancy. 

o Make maximum use of hardware developed for the 
HTC/SUMC-XX B. 

o Use error correcting meocry techniques since they pro- 
vide the most reliability for the least amount of 
hardware duplication. 

o Use spare memory planes and a bit-plane organized 
memory. 

o Use a fault-tolerant redundancy management unit (RMU) 
to control the redundant elements of the system. 

Providing redundancy within the CPU or IOU would require develop- 
ment of completely new untis and would not represent a cost 
effective way of providing reliable systems. Configurations were 
limited to CPUs and IOUs as "stand alone" units. The CPU to 
memory interface is a significant part of the study. The Top 
Level system configuration is shown in Figure 2-1. Subsequent 


2-1 



FIGURE 2-1. SIMPLIFIED SUMC-IIC 


2-2 





sections of this report will develop this general concept into e 
working approach to the SUMC-I1 C. 

Over a period of time a number of candidate subsystems were defined 
for the CPU/aemory portion of the SUMC-II C. These configurations 
are shown in Figure 2-2 and are explained below: 

o Configuration 1 consists of two CPUs sharing a common 
fault tolerant memory built from existing Main Memory 
Unit (MMU) hardware. No attempt is made in this con- 
figuration to eliminate single point failures in the 
memory. A new design is required for the power supply 
and the dual port interfaces. 

o Configuration 2 consists of two CPUs sharing a common 
fault tolerant memory. This memory is an extensively 
redesigned MMU and contains no single point failures. 

A new redundant power supply would be required for this 
design. A new design would be required for the dual 
port Interfaces. 

o Configuration 3 consists of two CPUs, each having a fault 
tolerant MMU memory. The computers will be used in a 
redundant manner and no new design is required. 

o Configuration 4 consists of two CPUs, each having a 
dedicated memory except that the dual port interfaces 
are used to provide cross-strapping of _.~-nory write when 
both systems are powered on. Each computer supplies 
power to its dedicated memory and reads only from its 
memory. The cross-strapping is provided for rapid 


. 2-3 


CPU/ 


































Information transfer between memories during CPU switch- 
over. Thle a p p r oach requires s now design for the dual 
port lntarfacaa but no new power supply design. 

o Configuration 5 consists of two CPUs cross-strapped to 
two fault tolerant MHU memoriae. Both memories share a 
redundant power supply and r amain in a powered on state. 
Either CPU can read from either memory but always writes 
both. The dual port design is used for cross-strapping 
and tbs memory mad selection is delegated to the 
Redundancy Management Unit (RMU). A redundant power 
supply and interface designs are required for this 
configuration. 

o Configuration 6 is the same as configuration 5 except 
that each memory has its own power supply which can be 
powered up or down by the RMU to save power. A new 
power supply and new interface designs are required. 

All configurations use common designed Interface boards which can 
be populated/ depopulated and/or jumpered to fit each requirement. 
Figures 2-3 through 2-5 show the interfaces except for the clock 
switching circuitry. Two CPU Interfaces (CPA, CPB) and three 
memory interfaces (MPA, MPB, MPC) are shown. 

The trade data derived for the six configurations is suaurized in 
Table 2-1. Based on that data, configuration three ws selected. 
The slight Increase in reliability of six over that of three does 
not justify the major difference in development cost. The result- 
ant configuration is shown in Figure 2-6. 


2-5 




Figure 2-3. ftial Port Configurations 1 and 2 









Figure 2-4. Dual Port Configuration 4 








Figure 2-5. Dual Port Configurations 5 and 6 


Table 2-1. Configuration Trade Data 


§ 


in 


so 

ft CM 

■^so 

cn on a 
n ■ o s 

CM CM •* H O SB ►« 


nO 

NO 

CM CM 
'•.I'* 

m on a 

CO • o « 

CM CM m ft O Z {H 


a « 
w « 

H >4 CM SO 


* — 
O SI o 

* ►> CM ft 


St 


_ s> 
o w 
U 9 


►n 


.fit 

SO H 


* 




I 


6 S’ 

a. 

§* 
CO 


ftt 

o _ 

* a 

ft ft 

a a 




h 




a 

4J 



> 

B 1 

>N 

H 

o 

a 3 

»— 1 

NO 

,c a 

■O 60 B 

u 

CM On 

U *J 

fi ft 0 

X 

'-.no 

4j a 

3 44 rl 

60 

ft ON 

•H *B 

T) B 4J 

•H 

n . o o p 

o 9 a 

a o a 

H 

ft o z z z 

z cm cm ns 

K O h 

Cfl 


>N 

4J 


O cn 

m a 
a -H e 
» ft a 

3A€ 


« 

u 

o 

a c 
so 

ft iM 

a a 


co 







►> 







U 

u 





4J 

ft 

a 




so 

5 i 

ft 

> so 

CM 



B 

a 3 

4-1 

o s 

m 



■H 6 

a mb 

a 

X -rl 

CM H 



« so 

6 O 

a 

u « 

t r- 



a vt 

3 44 rl 

-C -H 

u a 

NO ON 



•h a 

a a <j 

60 ft 

•H -o 

CM . 

o o 

o c> 

x a 

a o a 

ft a 

9 a 

ft o 

Z Z 

z z o o 

w a 

ft U 14 

s « 

n s 


o> 

cm cm 

cm on 
''.NO 

ft on a 
m • o a 
CM CM cn ft O Z ft-t 


o o o o 

ZZHh 


T) 

s & 

•3 § 

o £ 


■SS 

a os 


u 

a 

9 

<2* 

9 & 
a a 

Z cn 


4J 

M 

O 

0t S 
SO 

ft *H 

a a 
3 a 
a a 


ON 

o 

cm r» 

"-.nO 0. 
ft oo 0< a 
cn . cm a 

CM cm cn ft o CM >4 


« 

a 

* 3 
a so 
B ft 
so a 


« 

a 
a 
. n 
3 


•rl a 
a a 


o o 
Z Z 


§> 


a 

^ . . a 

>N ft -3 

« H (2 (£ 

U 

a a u >, 
. . a » >» B ft 

a K otfH s 

Q a o 04 ft o a 

in h 04 3 
n a ft n-i eo 
h nh a x> a 

X 04 o u a >h m 

-h -H so a 
9 9 • arH d 9 

a a o tn a ■* o 

Z Z Z H ft V) ft 




44 4-1 

o o 



rH r-l 

o o 

(0 

<3 

03 

H M 


0) 

4J 4J 

a 

60 

B S 

> 

CO 

0 Q 

•H 

4J 

O CJ 

4J 

c 


a 

-H 

3 

> 

1 1 

as 

3 


a 

a 

so 


§ 

■6 

a 

a 

•h 

Q 


2-9 


*N0TE: Does not include Power Supply 



FIGURE 2-6. SUMC-IIC CONFIGURATION 







2.2 REDUNDANCY MANAGEMENT UNIT (RMU) CONCEPT 


Optimization of the RMU must be done at the 8ystem level and is, 
therefore, application dependent. Several major items which are 
application dependent are: the time allowed for system recovery, 

the need for a degraded mode of operation, the availability of 
program load capability, the degree of operator participation vs. 
automatic operation, the need for complex interface safing, the 
need for selecting from among multiple prime power sources, and the 
need to store recovery parameters for transferring control from one 
computer to another. 

Since mission success is dependent upon the operation of the RMU, 
it must be essentially failure proof. If the RMU performs many 
functions, then its simplex implementation requires significant 
amounts of hardware and it is both difficult and costly to achieve 
the required reliability. 

Effective management of system redundancy can involve many acti- 
vities. A list follows which represents candidate features which 
might be included in an RMU: 

o Comparators for checking the outputs of multiple com- 
puters. This could be required for instantaneous 
recovery or where the consequence of an undetected error 
is catastrophic. 

o Storage of present status parameters for assistance in 
restarting after a detected failure. 


2-11 


o Saflng all critical spacecraft functions which are under 
control of the computer. 

o Check "status" signals from the computer to assure thst 
all critical program segments were executed and in the 
correct sequence. 

o Gather status and send it to operator/monitor personnel 
in the spacecraft or on the ground. 

o Provide auxiliary storage for error and status logging, 
program reload, and diagnostic program storage. 

o Provide command facilities for remote (probably ground) 
personnel to override the automatic redundancy management 
features. 

o Provide an independent "Watchdog" timer to detect com- 
plete loss of computer operations or excessive time in 
completing a phase of operations. 

o Provide highly redundant (fail-safe) crosstrapping 
between/among redundant system elements. 

o Control application of power to each redundant element 
of the system. 

o Enable/Disable computer I/O. 

Since high level redundancy is required in the RMU to meet the 
necessary failure tolerance, even small amounts of functional 


hardware can hava significant Impacts, on power, weight, etc. There- 
fore, two precepts ore proposed for the design of the RMU: 

1) Don't include any function which can be performed 
outside the RMU. 

2) Make provisions for but don't include functions which are 
not required by all applications. 

Applying these rules to the candidate list gives the following 
results: 

o Accommodation should be made for the future addition of 
compartors but don't include them. 

o If required for rapid recovery on a specific mission, a 
few restart parameters might be included. A large number 
should be put in a system storage device and not included 
in the RMU. The basic RMU should not include restart 
storage. 

o By putting all I/O, into a predetermined state when 
system confidence has been lost, proper system design 
can insure the spacecraft to be safe at all times. 

o Status checking and proper program sequencing are 

important, however, they should be handled by software 
checking not the RMU. 

o General status collection should be done by the operating 
computer which can send it to the ground via telemetry if 
desired. 


2-13 



o Auxiliary storage should ba provided aa a system function 
not by the RMU. 

o The ability to use human intervention to override the RMU 
is desirable and should be provided both for test purposes 
and as a "last ditch" precaution. 

o A "watchdog timer" is an essential part of any RMU. 

o Cross trapping should only be provided in the RMU when 

required by the application and there is no other place 
for it. 

o The RMU should control power to each unit, although the 
power switches themselves need not be a part cl the RMU. 

o The RMU should have the ability to enable/disable outputs. 
Between the time that power is applied to a computer and 
the time the computer has initialized and performed self- 
test, the RMU should insure that all I/O is disabled. 

This results in a basic RMU which can be used "as-is" or can be 
expanded to suit special requirements. The basic RMU features are 
summarized below. 


BASIC RMU SUMMARY 


o Watchdog Timer 

o Ground Commanded Override of RMU 

o Power Control to all Units 


- 2-14 


o 


I/O Enable/Disabla Capability 


o Growth for Special Miss loot 
o Fail Safe Implementation 

To communicate with the EMU, the SUMC-II C CPU will use a dedicated 
line FLAG RMU which will' indicate that the output bus has data for 
the RMU. FLAG RMU la just a pulse so the RMU must store the data 
on the bus or react quickly to it. In addtion to an "IM OK" code, 
several codes are generated to signal operational status of the 
microprogram handling the FTM analysis and spare plane switching. 
This is explained more fully In Section 3.1.2. 


2.3 INTERFACES 

Crosstrapping and other redundancy considerations can Impact the 
design of unit-to-unit interfaces. If mission reliability or 
application design groundrules will not tolerate single point 
failures, the interfaces used must be carefully designed to pre- 
vent a short in one circuit or wire from dragging down an entire 
function and precluding operation of that functon. The interface 
shown in Figure 2-7 illustrates a design approach to eliminate 
all single point failures in a crosstrapped interface. 

The circuit of Figure 2-8 is much simpler than that of 2-7 
since all drivers and receivers are the ones which would normally 
be provided in a simplex unit if one precaution is taken in selec- 
tion of the three state driver. The driver must be selected 6uch 


2-15 


SN55 121 


SN55 142 



FIGURE 2-7. CROSS-STRAPPING WITH NO SINGLE FAILURE MODES 



FIGURE 2-8. SIMPLE CROSS-STRAPPING 




that la ita ?cv«red OFF atata its output goaa to tha high lapadanca 
(disabled) atata. 

Tha lapact on aystaaa r allability of tha fallura (In a ahortad nod a) 
of ona of tha lntarfacaa in Flgura 2-8 la nagllglbla. Howavar , 
tha problaa of iaplaaanting tha lntarfaca of Flgura 2-7 la signi- 
f leant. Thla study, therefore, recomanda tha uaa of tha alaplar 
lntarfaca alnca tha nora complex ona can ba added later for any 
application which requiraa It. 

2.4 FTM CONTROL STRATEGY 

Tha fault-tolerant memory aubayatem automatically corrects alngla 
bit arrora. Thla action la completely tranaparant to both tha 
computer uaer and the mlcroprograma. Tha FTM aubayatem does, how- 
ever, have control functions to control switching of spare memory 
planes and also to perform testing of the memory. The controls are 
a combination of hardware and microprogram. Tha strategy for 
switching spare planes can have a major impact on the reliability 
of tha unit, however, exact techniques for calculating the effect 
of switching strategy or reliability are not yet developed. 

To understand the significance of the switching strategies, it is 
necessary first to understand the types of failures, their Impact 
on operation, and their method of detection. 

o A "fault" is a hardware malfunction such that the 
equipment is not capable of doing everything it was 
designed to do, but it might not be causing any 
problem at the present time. Example, if a bit la 


unable to go to a 1 state but tha corraet currant valua 
is a saro, it isn't causi ng a problem; but it is still 
a fault. 

o An "error" is tha process of tha computer getting an 

iapropar result at the present time. Example, if a hit 
read from memory should be a 1 but it is being read as a 
0, that is an error. 

o A "random fault" in the FTM is one which affects a single 
bit in a single word in memory. 

o A "systematic fault” is either one which affects the same 
bit in many words or many bits in the same word. The 
system has been designed, however, to nearly eliminate 
the ability of a single fault in memory altering the 
value of more than one bit in a word. 

o An "address fault" is s fault which causes a valid word 
to be stored in and retrieved from the wrong storage 
location. 

o A "transient store" error is where a transient condition 
in the memory caused a word to be stored with a bad bit 
in it. However, there is no "hard" fault. 

Since the memory can correct single errors, there is not much con- 
cern about the existence of words in storage which will give- 
single (correctable) errors when they are read. The most signifi- 
cant problem with single errors is that they have the potential to 
become double errors which cannot be corrected by the translator 


2-18 


hardware. Random faults ara tha moot provable failure type in a 
•emiconductor memory and there la a low f . obability that two randoa 
failures will occur in tha saaa word. A aeaory containing n words 
has a probability of about .5 that there is a double failure after 
n failures. For n"8K that is about 90 failures and for n>64K it is 
about 256 failures. Therefore, randoa failures are predicted to be 
a problen only if a very large nuaber of thea have occurred. 

Three strategies will be considered for switching out bad hardware, 
to restore systea operation or reestablish a high level of redun- 
dancy. Each approach and its relative merits are discussed below. 

STRATEGY A 


Reconfigure the systwm to elialnate the failed bit-plane every time 
an error is encountered. 

Advantages : This is a staple concept which could be easily 

iapleaented in hardware without any modification of the current 
CPU/Meaory interface. 

Disadvantages : This strategy wastes spare plane usage on random 
errors which are amply taken care of by the basic correction code. 
Mien spare planes are needed for systeaatic faults , they will not 
be available. 

STRATEGY 8 


Reconfigure to switch out a bit-plane whenever it has been deter- 
ained, during normal operation, to contain a predetermined number 
of faults, or it is the one which has the most faults whenever a 
word containing a double error is encountered. 


2-19 


Ad v entases *. This strategy focuses on tht distinction between 

systematic faults and random faults, and would significantly anhanca 
ths long tans alas loo rallablllty. 

Disadvantages : Interruption of tha operational progran to log the 
location of errors during progran execution would have a significant 
lapact on conputer operation. There is »I*c> a risk that areas of 
the memory infrequently used because of nlsslon structure could 
accumulate aultlple errors la words which, when they are needed, 
cannot be practically reconstructed with the diagnostic decoding 
algorithms, thus impacting the mission. Sons memory performance 
capacity would necessarily have to be allocated tc the error log- 
ging operation, especially if errors occur in frequently us ad 
programs such as vehicle control loops. 

STRATEGY C 


Rely on the ECC capability during normal program execution, then 
revert to a test mode whenever a double error is encountered in a 
word, and at periodic Intervals. The test node would utilise the 
diagnostic decoding algorithms and properties of the error code 
to locate and log faults, verify that single errors signaled by 
the translator ere not triple errors, end provide the data for the 
reconfiguration decision. Reconfiguration would only be performed 
if a double fault or a systematic fault was detected. 

Advantages ; This strategy has minimum impact on the operating 
program yet it utilises the powerful diagnostic decoding techniques 
to effectively attain the full potentials of the bit-plane switch- 
ing capability. All memory locations would be tested frequently, 
thus airlmlzing the likelihood of accumulations of many errors in 
any word before detection of the errors. 


Z - 20 


PludmtttM i It is difficult to know how often to go into a self 
test node, however, this cm be programaer controlled rather then 
"built- in” to the system either in hardware or microcode. 

SELECTION * Strategy A clearly does not provide an effective use of 
the tremendous potential of the spare planes. Strategy B Bakes a 
aajor iaprovaaent in the effectiveness of the spare planes, but 
Strategy C Bakes several improvements over that of B. Since both 
B and C require a significant Mount of microprogram support, there 
seems to be little difference in the cost of implementation . 
Strategy C is selected. The microprogram to support the strategy 
is described in Section 3.1.2 and the FTM hardware la described in 
3.1.1. 


2.5 STORAGE ADDRESS EXPANSION 

The basic HTC computer calculates storage addresses using 16-blt 
arithmetic. Since the byte is the basic element addressed in the 
computer, this results in 2^*65,536 bytes maximum. Applications 
which require more storage than this must either menage the move- 
ment of data and program in and out of the computer or provide 
som means to expand meaory beyond 64 K bytes (K»1024). 

Memory expansion involves several facets: 

o Generating and holding addresses beyond 16 bits. 

o Decoding the most significant bits of the address to 
fora "page select" signals. 


2-21 


o Driving th« signals going to the additional memory. 

o Housing the additional memory. 

o Powering the additional memory. 

The first item was the primary subject of the study, whereas the 
other items were resolved during the implementation phase. 

Memory addressing is from three basic sources: operant addresses 

calculated within the CPU, next instruction addresses taken from 
the program counter, and storage addresses taken from a device 
over the direct memory address (DMA) interface. In the HTC all 
address paths, registers and calculations are 16 bits. If the 
memory is to be expanded beyond 64K bytes, the maximum memory 
size must be determined. Discussions with MSFC personnel identi- 
fied that most foreseeable requirements could be met with 18-bit 
addressing (256K bytes) and that 20-bit (1 M bytes) would certainly 
statisfy all requirements. 

The next primary issue is to establish the basic approach to the 
addressing of memory. Both aerospace and commercial computers 
have been successfully applied using a "sectored" memory where the 
CPU, I/O, etc. never has access to the full memory at one time. 

This approach usually involves one or more sector registers to hold 
the most significant part of the address while the CPU manipulates 
only the least significant part of the address. With sectored 
memory the most significant directly controllable address bit 
usually identifies whether the lowest sector or the "current" 
sector is being referenced. Sectoring is illustrated in Figure 
2-9 assuming the computer has a basic addressing capability of 


2-22 



2-23 





I 


16 bits. The 15 least significant bits (LSBs) identify which byte, 
of the 32K bytes in a sector, is being addressed. If the most 
significant address bit (MSB) is a zero, the lowest sector is 
implied. If the MSB is a one, the value stored in the sector 
register is used to identify the desired sector. Thus continued 
access is provided to the low sector of memory, and one other 32K- 
byte sector can be selected. 

The advantage of sectored addressing is that it minimizes the amount 
of special addressing hardware required. There are, however, some 
disadvantages with this approach to address; 

o The technique is not S/360 compatible. 

o Special instructions are required for loading and 
storing the sector values. 

o The programmer must be concerned with memory management 
as well as application programming. 

o If a program or data file resides in two different 

sectors, many changes in the sector register might be 
required. 

o The MOVE instruction cannot be used to move across 
sector boundaries except sector zero. 

If sectored addressing is not to be used, address computations must 
involve the full storage address (18 or 20 bits). Figure 2-10 
shows a symbolic flow chart of the S/360 address calculation. Pro- 
vision must be made to provide all the identified additions in 18 


2-24 



TO INSTRUCTION 
EXECUTION 


INSTRUCTION REGISTER 



32 3536 47 


* RX FORMAT ONLY 
** SS FORMAT ONLY 


NOTES: B AND X ARE THE NUMBERS 
OF THE BASE AND INDEX 
REGISTERS BUT (B) AND 
(X) ARE THEIR CONTENTS. 

P IS ANY CONVENIENT 
WORKING REGISTER. 


FIGURE 2-10. FLOW DIAGRAM OF THE S/360 EFFECTIVE ADDRESS CALCULATION 


2-25 




or 20 bit arithmetic. There are three approaches to providing 
18/20-bit addressing: 

o Use the HTC data path as-ls and use double precision 
calculations (two passes through the ALU) to get the 
addresses. 

o Expand the data path to 32 bits for greater arithmetic 
performance and get the extended addressing free in the 
process. 

o Extend the data path two or four bits for address calcu- 
lations only. 

The double precision microprogramming of the effective address 
calculation involves the least hardware but reduces machine per- 
formance by stretching execution of all but the register-to- 
register (RR) instructions. Going to a 32-bit data path is a 
major change in implementation, increases power and weight, and 
cannot be justified for the sole purpose of extending memory 
addressing. 

Regardless of the approach to address expansion, the following 
changes to the HTC must be implemented. See the HTC Block 
Diagram of Figure 2-11. 

o The program counter (PC) must be extended either as a 
counter (preferred) or with a sector register (poet 
design) . 


o The CPU's storage address register (SAR) must be expanded. 



Figure 2-11. SUMC-IIC Block Diagram 



















o The address multiplexer combining CPU and DMA addresses 
should be expanded. 

o The DMA address interface should be expanded, (if the DMA 
is to have full access to memory). 

o A path must be provided from the PC to the data flow 
(for store PSW) and to the SAR for I -FETCH. 

The implementation requirements of the various approaches to memory 
extension are illustrated in Figures 2-12, 2-13 and 2-14. In those 
illustrations, it can be seen that sectored memory provides minimum 
hardware impact but not significantly less than microprogrammed 
addressing. Figure 2-12 assumes the PC to remain at 16 bits and 
share the same sector register as the operants of the effective 
address calculation. Additional sector registers can be provided 
for separate sectoring of the program counter, second operant, and 
DMA. The additional hardware, however, does not seem warranted in 
an approach with such inherent limitations. 

Comparison of Figures 2-13 and 2-14 shows that providing and 
controlling 2-4 extra bits of ALU and General register is the signi- 
ficant difference between hardware and nicropogramming addressing. 

Table 2-2 shows a summary comparison between the three approaches. 
The 32-bit data path approach was eliminated because of the extreme 
impact both on production hardware (an extra slice) and on develop- 
ment cost . The extended calculation approaches are shown with four 
bits per flat pack. The sectored memory, however, is shown with 
extension to only 19-bits. The larger the memory the more problems 
encountered (with sectored memory) so 18-bit addressing (256K-bytes) 


2-28 


REGISTER 



FIGURE 2-12. SECTORED MEMORY IMPLEMENTATION 




















LATCHES 





FIGURE 2-13. DOUBLE PRECISION EA MICROPROGRAM HARDWARE 















MUX* U 1 CTRL* I CTRL* I MUX A 



FIGURE 2-14. DATA PATH EXTENSION 





















Table 2-2. Susaary of Address Expansion Trades 



2-32 


would probably not bo exceeded. Aloo 19-blts represents an 
officiant uaa of hardwara. Tha hardwara aatlaataa In tha table 
ara thoaa which wara believed at tha tine of tha trade etudy. 

The probleas associated with tha aanageaent of a aactorad neaory 
plua tha loaa of S/360 coopatibllity aakaa aactorad aaaory vary 
unattractive. Tha expanded ALU /DATA Path approach waa selected over 
the elcroprograaned approach to get a 10Z Increase in parfonutnee 
at the cost of a few flat packs. Section 3.2 of this report shows 
the lapleoantation of the address expansion. 


3.0 IMPLEMENTATION 


3.1 FAULT-TOLERANT MEMORY 

The Fault-Tolerant Memory (FTM) la a atoraga syatan which colarataa 
•ingle and multiple arrora within worda raad from memory. The FTM 
system la comprised of thraa major segments: Storage Array, 

Tranalator, and Error Correction Algorithms. 


3.1.1 Storage Array 

The storage array is composed of basic memory nodules (BMMs) which 
are haraetically sealed and each contains 8192 bits of K-chsnnel 
FET random access storage organised as an 81 x 1 bit array with on 
the chip address decoding. Each memory nodule is part of a bit 
plane. There are 16 bit planes corresponding to the 16 bits to be 
stored from the CPU, 6 check bit planes and 4 spare bit planes. A 
bit plane provldea one bit to the word read from storage. The bit 
plane organization ensures that any failure in a BMM trill affect at 
most one bit in any word read from storage. This feature signifl- 
cantly enhances the effectiveness of the error correction code. 

Any failure in a module can mutate only one bit in any given word 
stored. Figure 3-1 contrasts the storage array organization for 
64K simplex and Fault-tolerant machines. 


3.1.2 Translator 

Referring z* Figure 3-2, the Translator is functionally partitioned 
into six major data flow areas: a storage data remoter (SDR) which 


3-1 


16 DATA I I 16 DATA I I 16 DA 



Figure 3-1. STORAGE ARRAY ORGANIZATION 




















Storage Array 



3-3 









include* an input multiplexer, parity tree*, corrector, error 
analysis, command and statu* registers, and spare assignment 
register. The SDR is the major working register £or the translator. 
All data inputs to be stored from the CPU are read into the SDR and 
all data read from the storage array is read into the SDR. 

3. 1.2.1 Parity Trees 

Parity trees in the translator are used for four purposes: gene- 

rating check bits on store operations, checking byte parity bits on 
store operations, generating syndromes on read operations, and 
self-testing of translator circuits. 

3. 1.2. 1.1 Check Bit Matrix 

Referring to Figure 3-3, there are 16 data bit positions labeled 1 
through 16. There are six check bit columns labeled C1-C6. Each 
check bit is generated by parity trees to give odd parity over the 
field consisting of itself and eight associated data bits in the 
same row of the matrix. Thus, Cl could be generated as zero or one 
if data bits 1 through 8 had odd or even parity, respectively. 
Similarly, C2 would be generated to give odd parity over the field 
consisting of itself and data bits 6 through 13. It should be 
noted that each column of the parity check matrix consists of an 
odd number of l's. The data bit columns have three l's and the 
check bit columns have a single 1. This constitutes a Hamming 
code of odd-weight. 


3-4 


Bit Position. 


1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 Cl C2 C3 C4 C5 C6 

51 11111111 1 

52 11111111 1 

53 1111 11 11 1 

54 1 1 11 1111 1 

55 11111111 1 

56 11 111111 1 


Figure 3-3 Parity Check Hatrix for 16 Data Bits 


On store operations, the 16-bit word from the CPU is first stored 
in the SDR. The 16-bit word is then flushed through the parity 
trees to generate check bits which are also stored in the SDR. 
Subsequently, a 22-bit word is transmitted to the storage array (16 
data bits and 6 check bits). 


3. 1.2. 1.2 Error Detection and Location 


On read operations, each of six fields, consisting of eight data 
bits and an associated check bit, is checked for odd parity. The 
parity indication signals generated for these six 9-bit fields are 
called syndromes labeled SI - S6 in Figure 3-3. in the event that 
one or more syndromes indicate a discrepancy, an error is flagged. 
The pattern of the syndromes is analyzed to determine the type of 
error and, in the event of a single error, the syndrome pattern 
indicates, the position of the errant bit. 

Each data bit and each check bit has a unique pattern of l's in 
its column. Thus, if data bit 1 was in error, then syndromes 1, 

3, and 4 would indicate discrepancies. The combination of syn- 
dromes (1, 3, 4) uniquely identifies data bit 1 as the errant bit. 
In this way, the syndrome patterns are decoded to locate a single- 
bit error. 


3t5 


3. 1.2. 1.3 Self-Testing 


The construction of the parity trees used in the translator augnents 
the self-checking/self-testing properties of the translator. Figure 
3-4 illustrates the organisation for one of the three parity trees 
on a parity chip. There are nine input bits per tree and each tree 
is divided into a six-bit section and a three-bit section. There 
is a partial output for the six-bit section of the tree and another 
for the three-bit section. There is also a combined output which 
represents the parity over all nine input bits. The pair of 
partial outputs is called the "morphic" output of the parity net- 
work, while the combined output is the usual logical output. Since 
odd parity is being used, an error-free syndrome from the morphic 
output is indicated by an 01 or a 10 signal on read cycles. In the 
event of a fault within the parity tree network which results in an 
erroneous output, only one leg of the morphic output will be 
affected. Therefore, single gate failures in these circuits 
propagate to the output where they may be detected. Thus an odd 
parity input to a parity circuit, containing an error causing 
fault, will result in an 00 or 11 morphic output. Of course, an 
even parity input to a fault-free parity tree, will also cause 
the morphic output to be 00 or 11. 

3.1. 2. 2 Corrector 

The corrector consists of a correction decoder and exclusive OR gates 
which are in line with each of the 22 bits. Correction occurs as 
data is being transmitted to the CPU. Correction is complete 
before the CPU receives a read data ready indication. The syn- 
dromes generated by the parity trees are decoded into 22 bits. 

The correction decoder illustrated in Figure 3-5 consists func- 
tionally of 27 six-input AND gates which decode each of the 20 


3-6 


123456789 



Output Output Output 

Figure 3-4. FUNCTIONAL PARITY TREE REPRESENTATION 

combinations of six things taken three at a time, the six combina- 
tions of six things taken one at a time, and the single combination of 
none of six. The outputs from the decoder are wired to the 
appropriate SDR bit positions. All twenty of the three of six 
combinations are available on the chip; however, only the appropri- 
ate 16 are utilized for the sixteen data bit positions in the code 
chosen. The inputs to the decoder are the combined outputs of the 
six syndrome parity trees. 

The outputs of the correction decoder are then exclusively ORed bit-by-bit 
with the data as read from the storage array. Whenever the two inputs 
disagree, correction occurs. 


3. 1.2. 3 Error Analysis 

The error analysis portion of the translator is perhaps the most 
unique portion. It is implemented in morphic logic. The morphic 
logic uses dual line pairs to replace the single lines in conven- 
tional logic gates arranged as two independent tree structures so 


3-7 







that a fault of a single gate in the morphic logic propagates to 

the output where it can be detected. Circuits representing morphic 

invert, morphic AND, morphic OR, morphic exclusive-OR, etc., have 

been devised. Combinations of these morphic gates can be utilized 

to implement any logical function. The morphic logic equivalent of 

a conventional logic 1 is a 01 or a 10, [01], on the line pair. 

[ 10 ] 

The morphic logic equivalent of a conventional logic 0 is [00] on 

[ 11 ] 

on the morphic line pair. For explanation of the error analysis 

circuits for this translator, the nomenclature L, [01], and (L. 

^ [ 10 ] ^ 

[00] will be used. 

HI] 

The translator error analysis will be illustrated by explaining its 
operation for checking the word read from storage. The verifica- 
tion of byte parity checking and generation and check bit generation 

% 

will then be explained. 

The AND„ whose output is labeled A in Figure 3-6 has inputs from 
the morphic output of the syndrome generation parity trees SI - S6. 
Since odd parity is used in the encoding, on read-out all of the 
syndrome partial signals should be 1^ if no error has occurred. 

Thus, the output A should be 1^. Two parity trees are shown as 
the input B in Figure 3-6. There are an even number of syndromes 
(6). One each of the two morphic lines from each of the syndrome 
generators (the byte parity tree inputs are inhibited during read 
cycles) are inputs to the two parity trees whose outputs form B. 
Since the syndrome no error condition is lj^ and there are overall 
an even number of syndromes, there should be in total an even 
number of morphic (and logical) l's under a no-error condition. 


3-9 




i— I CM 

Pu pL. 


fH CM 

PLI 0. 


3-10 


Figure 3-6. ERROR ANALYSIS 


Sine* this is true, both parity trees ahould have like parity either 
odd or even since the sum of two odds or of two evens is even. The 
input B in Figure 3-6 should be 0^ under a no-error condition. The 


gate whose output is P indicates NO ERROR as 1^ when the A and 
B signals are nornal. 


The AND^ gate whose output is Q indicates a translator circuit 
failure condition. There is no valid condition of the inputs which 
causes outputs A and B to be 1^ simultaneously. This condition is 
indicative of a failure in the circuits which generate A or B. 
Therefore, the AND^ gate whose output is Q senses this condition 
as a circuit error. 


A single error is mainfest as an odd number of 0^ syndromes — one 
syndrome or three syndromes having a value of 0^. Under this con- 
dition, the output A will be a 0^ and the output B will be 1^. 

The output A is inverted to make it a 1 M and combined with the 
output B which will be 1^ to cause signal R to be 1^ — the single- 
error condition signal. 


The AND U gate whose output is S senses a double-error condition. 

The output A will be 0 U as will the output B in the presence of a 

ri 

double error in the word read from storage. Inversion of both 

these outputs makes them both l u and when combined in the AND U gate, 

n n 

whose output is S, indicates the double-error condition. 

The AND U whose output Is D indicates a circuit-error condition, 
n 

The input U is for byte parity circuit checks. The signal Q (men- 
tioned previously) is inverted because its normal (no error) 
indication is an 0 U . In order to maintain consistency, all inputs 
to the AND U should, under normal conditions, be L/s. 


3-11 


Therefor*, the signal Q Inverted i* during normal operation. The 
signal T is used for checking the validity of the generated check 
bits on write operations end the validity of the generated byte 
parity bits on read operations. It is proved that, with the code 
structure herein utilized, the parity of the byte parity bits end 
the parity of the code check bits should be the same; therefore, 
their combined parity should always be ?.ven. The signal T is the 
morphic output of a parity tree whose inputs are the two byte 
parity bits and the six combined outputs of the parity trees which 
generate the check bits. 

The two parity trees with T and R inpuns together with an inverter 
perform the logical operation T » R which is true when there is a 
valid single error condition and ao circuit failures. Certain 
circuit failures might be detects as e single data error without 
this check. 

A check is made to see that there is not an even number of the 
inputs P, R, and S in a 1^ state because P, R, and S are mutually 
exclusive conditions. Should none or two of these three signals 
be up, there will be an even number of logical l's which, dis- 
tributed between the two parity trees whose inputs are PRS, will 
make their output 0^. That is a failure indication causing the 
output D to be 0^. 

This discussion of the read cycle operation is intended to 
illustrate how the morphic logic is utilized to provide self- 
checking during norral operation. Since the normal data flow 
constantly changes, the translator circuits assume both states, 
which provides the self-testing property. 


3-12 


3. 1.2. 4 Command and Status Registers 


Microcode In tha NSSC-II is uaad to communicate with tha translator 
to support fault isolation and corr action. Each tins tha aicrocoda 
coonand NO-OP, is exacutad tha contants of tha SDR ara intarpretad 
as a coonand to tha translator and loadad into tha command ragistar. 
Thara ara four basic types of connands: spars assignment, mods 

changes, loading fake checkbit register, and reset storage address 
register (SAR) freese latch. The spare assignment coonand is used 
to load a spare assignment register which substitutes the spare 
assigned for the bit specified. Tha load fake checkbit is used when 
checkbits other than tha ones normally generated ara to be stored 
in memory in support of memory diagnostics. The SAR in the CPU is 
frozen when a double error occurs so the location may be inter- 
rogated and the failing bits identified. At the end of this 
interrogation, the latch prohibiting reloading of the SAR is reset 
with the reset SAR freeze latch command. Special modes of operation 
are required to execute the advanced microcoded storage diagnostics 
employed. These modes are specified to the translator by the mcle 
command. Figure 3-7 shows the command NO-OP structure and gives a 
brief definition of the various modes. 

The ststus register contains the Translator Error/Status word and 
is used by the diagnostic decoding algorithms to determine status 
after an FTM error interrupt and to support multiple error cor- 
rection. Definition of the Translator Error/Status Word is 
contained in Figure 3-8. 

3. 1.2. 5 Spare Assignment Register 

When the decision is made in microcode to substitute a faulted 
bit with a spare bit plane, one of four spare assignment registers 


0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 IS 


Load Spare Info 

1 Load Res 1-4 ! Spare Assignment j 0 



Load Mode Info { 

| Modes (See Below) | 0 

ID 


Load Fake Checkbits 

Fake Checkbits | 1 

3 


Reset SAR Freeze Latch | 

Ti 

3 


Bit Mod* 


Function 


6 Use Fake 
Checkbits 


Uses bits stored in Fake Checkblt register Instead of 
stored checkbits on read or generated checkbits on writes 


7 Inhibit Write 
Error Checks 


Inhibits checking for CPU parity errors or translator 
errors on write cycles 


8 Inhibit Correct 


Forces translator timing to not generate the correction 
clock used in test mode 


9 Inhibit Load Forces translator timing to not generate the SDR load 

pulse used in test mode 

10 Error Check SDR Causes read cycle to use data in CPU SDR rather than 

memory data, when used with bit 8; can error check 
generated word without using memory used in test mode; 
if used with bit 15, SDR will contain error status of 
word at end of cycle 


11 

Reconfigure Mode 

Force trai slator to read 
reconned only) and write 

from old bit plane (bit being 
TDR data to assigned bit plane 

12 

Test Mode 

Forces translator to use TOR rather than exclusive ORs 
for corrections and allows for additional control 

13 

Put Errors On 
Data Bus 

Data in bus will contain 

checkbits and error status 


Figure 3-7. COMMAND 'NO-OP' COMMAND STRUCTURE 


3-14 


Bit Meaning 

0 Mo error datactad during a read In tear mode. 

1 Single data error detected during a read in teat node. 

2 Double data error detected during a read in teat node. 

3 Tranalator error detected during teat node. 

4-9 Checkbita aa read from nemory. 

10 Tranalator or CPU parity error detected on write. 

11 Spare. 

12 Double data error during read in normal mode. 

13 Tranalator error during read in normal mode . 

14 Spare. 

15 Spare. 


Figure 3-8. TRANSLATOR ERROR/ STATUS WORD 


3-15 


la loaded with tha syndrome pat tarn of tha faultad bit. Thla ayn- 
drome pat tarn la subsequently dacoded and tha ldantification of tha 
faultad bit la provided aa Input to tha SDR. Tha SDR than awitchaa 
tha faultad bit plana out of tha data path and awitchaa tha apara 
bit plana into tha data path. 

3.1.3 Error Corraction Algor 1 that 

Several algorithms, Implemented In microcode, permit maximum 
utilization of the fault tolerant memory feature. A flow diagram 
of the microcode routlnaa containing theae algorithm* ia ahown in 
Figure 3-9. During program execution, tha FIN operataa under 
direct hardware control and correcta aingle errora aa they occur. 

If an uncorrectable memory error occur*, the microcode routine* 
depicted in Figure 3-9 are Invoked which analyze the error and 
take appropriate action* to reconfigure memory to eliminate the 
error. A* the routine* are executed, the FTM *y*tem provide* 
status report* to the outside world via the FLAG RMU control 
signal and a code word placed on the I/O channel output bus. The 
code words and their meaning are listed in Figure 3-10. 

3. 1.3.1 Error Location 

If a double read error is detected, the address of t.iat word is 
frozen by the memory interface hardware and the microprogram takes 
two actions: First, the READ is retried 64 times to determine 

that it was a hard failure. It any retry results in a correctable 
error, the normal program execution will be resumed. 

If the error was "hard", the microprogram initiates the second 
action of identifying the "stuck" locations lr. the word with the 


3-16 


Fault 

Tally 


Catastrophic 

Errors ^Transient 
Caused \ Error* 
CPU to Hang 



Addresses 
Show Up Here 


Error 

Location 


Check for 
and Tally 
Stuck Bits 


(Identify Plane] 
to be 

Reconfigured 


1 

or 1 

Check for 
and Tally 
Address Faults* 

i 

i 

Correct 
Transient 
Errors i 

Isolated 
r Write 

1 

1 

1 

Ident 

Havin; 

Add: 

ify Bit 
g Stuck 
ress 



I 


Address 

Fault 

Tally 


Reconf igure 
Copy and 
Test Correct* 


Triple Errors Appearing 
As Single Errors Will 
Be Improved 


Exit to 
Recovery* 


*Footprints Sent to 
RMU Along the Way 


Figure 3-9. DIAGNOSE REPAIR FLOW 


3-17 




I 


in 

CO I 
3 00 
H 

< CO 
I- H 

co — 
CO 

sc 

H— co 
U- < 

111 Q£ 
X < 
t- 111 
Q. 
CD Q. 
Ul < 
Q 

< X 

o o 

-1 _J 
UJ 
(O PQ 

< 


> 

HI 


< 

I- 


X 

Q 


















UJ 




CD 








111 






H 




z 


Q 




a 


1— 






co 




1— H 


Ul 




< 







1 

•— « 




tr 


0C 




Ul 


tr 





c_> 

_l 




3 


Ul 


a 


oc 




CO 



co 





Q 


1- 


ui 






z 



CO 

CO 


Ul 




z 

Q 

a: 


CD 


CD 

111 

o 




UJ 


Q 


CO 


UJ 

Ul 

Ul 


Z 


z 

cr 

*— • 

• 

>- 


CD 


O 


1- 



( X. 

i- 


*—• 


•— < 

3 

h— 

z 

Ul 

UJ 

o 


O 


_J 

Q 

> 

Ul 

z 


a: 


cr 

_l 

o 

O 

— 1 

X 

c_> 




3 

UJ 

Ul 

h- 

UJ 

1- 

3 


3 

•— * 

111 


_l 

1- 



CO 


< 

OC 

_l 

Z 


*— » 

(=5 

LU 

CQ 

< 

H- 

1— 

< 




3 


U_ 

Ul 

_l 

UJ 

1 — 

X 


CC 


LU 

LU 


1- 

\- 

- 


H 



H 

< 


o 

UJ 

QC 

3 

cr 


CD 

CD 


< 

Q£ 

• 

< 


Ul 

Z 

1— 

z 

Ul 


o 

-J 

O 

Z 


Z 

CD 

X 

Ul 

1- 

h* 

CT 

UJ 

UJ 


o 

o : 

g— 

cr 

—* 

tr 

o 

cr 

o 

z 

H- 

H 

3 

CO 

O 

cr 


1- 

*— « 

CT 

1 — 

tr 

< 

cr 

»— * 

o 

<_> 

1— * 


CO 

o 


cr 

X 

> 

_l 

1- 

o 

u_ 

UJ 

LU 

UJ 

1- 

cr 


cr 

=5 




cr 

1- 

Ul 

3 

< 

o 





< 

tr 


3 


CD 

Vi 


UJ 


_i 

< 

cr 

■"v 

_1 

DC 

z 

cr 

cr 

LU 

~CD 

CD 

t§ 

UJ 

3 



z 

_i 

LU 

3 

H- 

3 

O 

o 

O 

3 


z 



or 

CQ 


UJ 

< 

< 


CD 

CO 

1 

1- 

t— • 

H 

CD 

z 

< 

CO 

111 



_i 

X 

1— 

CO 


Ul 

J, 

< 

H* 

< 

►— t 

*— * 

**T— 

1- 

X 

O 

O 


0. 

l- 


CO 

u. 

1 — 

tr 

_l 

CJ 

_l 

U 



u 

H 


s. 


M 


l- 

Ul 

z 

s 

Ul 

CO 

Ul 

CO 

z 

cr 


3 


#— < 

» « 


1- 

UJ 

_i 

cr 

o 

> 

u 

z 

tr 

z 

o 

o 


< 

co 




_l 

Q£ 

3 

a 

o 

a. 

o 

< 

tr 

< 

u 

tr 

1 

LU 

X 

Ul 

Ul 


3 

. O 

< 

CD 

Ul 

O 

3 

DC 

o 

cr 

LU 

cr 

u_ 


tr 

X 

X 


g~ 

g" 

LU 

<c 

o c 

<_> 

CO 

1 — 

<_) 

1— 

car 

UJ 


u. 

o 

u. 

z 

1- 

H- 














< 

O 

z 

U. 














z 

tr 

« 


o 














►— < 

Ul 

CQ 

X 

1 





* 






* 

* 

* 

* 

* 

CO 





r— 1 


o 

o 

C3 

O 

o 

o 

o 

o 

o 

O 

1- 

3 

) 




o 


o 

o 

i — 1 

o 

o 

o 

o 

o 

<— i 

CD 

_l 


s= 




o 


1 — 1 

o 

o 

CD 

o 

t— H 

o 

o 

o 

O 

3 


GT 




o 

se 

o 

o 

o 

o 

o 

O 

' — 1 

o 

o 

O 

CO 

Ul 

ac 

II 

IS> 




o 


o 

r- C 

o 

o 

o 

o 

o 

o 

o 

O 


3 




o 

o 

o 

o 

o 

t— H 

o 

o 

o 

1 — 1 

o 

O 






o 

r— 1 

o 

o 

CD 

o 

o 

CD 

o 

o 

o 

O 


* 

LU 




o 

O 

o 

o 

O 

o 

o 

r— 1 

r— 1 

r— 1 

I — 1 

rH 

* 

* 


3-18 


FIGURE 3-10. RMU STATUS CODES 


routine called Form Fault Word which is flow charted in Figure 
3-11. 

o Read the data word without correction and place in 
temporary storage. 

o Read the check bits and place in temporary storage. 

o Store the bit-by-bit inversion of the data and check bits 
in the same storage location. 

o Reread the data and check bits and compare (exclusive 
OR) with the original data and check bits. 

o Zeros will identify the locations of any bits which are 
not able to be Inverted (stuck at 1 or 0) . 

o If two or more bits are stuck, the fault location data 
is stored and the microprogram proceeds to the fault 
tally segment. 

o If less than two bits are stuck, there is an addressing 
error or a transient WRITE error which caused the 
storage of a bad bit. 

o If less than two stuck bits were found, the analysis 
proceeds to find stuck addresses in the entire memory 
(ADDRESS TALLY). 


3-19 


Figure 



3-11. FORM FAULT WORD 


3-2i 


i 



3. 1.3.2 ADDRESS TALLY 


ADDRESS TALLY is Invoked because a double error condition exists 
and the fault word routine found less than two faults. This routine 
is flow charted in Figure 3-12. 

o Stuck addresses are found as follows: 

- Read word A and store it temporarily. 

- Read word B and store it (where the address of B is 
different from A by a single bit). 

- Complement A and store it in B. 

- Check to see if A changed. If so one bit of B is 
being stored in A. 

o Each stuck address which is found is tallied for sub- 
sequent reconfiguration. 

o If there was a transient WRITE problem, it will be 

corrected during the final microprogram segment which 
is TEST/CORRECT. 

3. 1.3. 3 FAULT TALLY 

FAULT TALLY is invoked because the fault word routine found two or 
more faults at the error location. This routine is flow charted in 
Figure 3-13. The FAULT TALLY routine checks the entire memory 
for "stuck at" faults and tallies them by bit number. At the 


3-21 



Figure 3-12. ADDRESS FAULT TALLY 







Figure 3-13. FAULT TALLY ROUTINE 


3-23 


conclusion of this routine the counts for esch bit locstion sre 
evaluated and a reconfiguration decision is made. The decision 
logic is as follows: 

o If a double error caused the diagnostics to be run, a 
plane will be substituted in the RECONFIGURE routine as 
follows: 

- If ERROR LOCATION found two or more stuck at bits 
the one substituted will be the one with the largest 
number of faults detected by FAULT TALLY. 

- If there was only one stuck at fault and an 
addressing fault the address fault will be sub- 
stituted. 

If there was one stuck bit and a transient WRITE 
the stuck bit will be substituted. 

o If the analysis microprogram entered via diagnose 

instruction, the only reason for a plane substitution 
is if the tally of one or more bits excesded the thres- 
hold of 512 faults. Since each chip contains 2048 bits 
this threshold seems reasonable for a systematic fault. 

A different threshold can be substituted by burning-in 
a different value in the microprogram memory. 

The tally operation is essentially the same as the fault location 
operation, as it looks for stuck bits by the READ/ INVERT/ STORE/ 
READ/COMPARE sequence. This tally operation can be performed on 
the entire memory at one time or can be broken into segments. 


3-24 


3. 1.3. 4 RECONFIGURE 


The RECONFIGURE routine Is the short microprogram sequence vhlch 
"tells" the translator which spare plane number should be sub- 
stituted for which data or check bit. If the bad bit plane is a 
spare bit plane, it must be unassigned to permit the new spare bit 
plane to be effective. This routine is flow charted in Figure 3-14. 


3. 1.3. 5 TEST/COPY/CORRECT 

The TEST/COPY/CORRECT routine has two functions: copy the informa- 

tion from the old plane to the new plane and correct all possible 
errors. This routine works with each location in memory in 
sequential order reading from the old plane and writing to the new 
plane. This routine is flow charted in Figure 3-15. 

Each time a READ operation results in any error, a special correc- 
tion routine is used to correct the data. This proprietary routine 
is so constructed that it can form the correct word for all single, 
double, and triple "stuck at" type faults and one "soft-error" in 
combination with zero, one, or two "stuck at" type faults. This 
routine is flow charted in Figure 3-16. 


3.2 FTM SYSTEM MANAGEMENT 

The previous sections presented the implementation of the Fault 
Tolerant Memory hardware and microcode. The benefits derived from 
this system Implementation are: (1) the capability to recover from 

permanent and transient type memory errors, (2) extending the 




Tally for 1st 
Error Bit 



Figure 3-14. RECONFIGURE ROUTINE 



Get Reconfigure 
Code for Bit 
with Greatest 
No. of Errors 


Reconfigure 1st 
Available Spare 
Bit Set Spare 
Bit Used Ind 


( Exit ^ 


3-26 










Figure 3-15. TEST/COPY/CORRECT ROUTINE 


3-27 







G“E) 



Figure 3-16. MULTIPLE ERROR CORRECTION ALGORITHM 


3-?8 


usable life of the storage array, and (3) anhancing eba overall reliability 
of the SUMC-I1C computer. Associated with this benefit is the recurring 
coat of tine. Whenever a double error occurs, the microcode algorithms 
which locate the error, reconfigure memory and correct data errors, take 
the CPU "off-line" for the duration of time that it takes to execute the 
algorithms. Table 3-1 lists the execution time for each of the microcode 
routinaa previously discussed. As per the example presented in Table 3-1, 

1 double faulted location in a 64K memory size machine would take the CPU 
"off-line" for 687 a sec. It is conceivable that at certain "mission 
critical" periods of time, 687 m sec of "off-time" would be intolerable. 

The risk of this occurring cannot be completely eliminated, but it can be 
greatly reduced by managing the tools which the FTM system provides. 

The management concept is this: on a periodic basis during non-crltlcal 

mission phases, enter via the DIAGNOSE instruction the Fault Tally and 
Address Fault Tally microcode routines. This provides the advantages of 
(1) the flight programmer selects the time periods for fault location and 
correction and (2) greatly minimizing the probability of a double error 
occurrence. To prevent the occurrence of the accumulation of "soft errors ," 
the flight program should, on a periodic basic, read and rewrite all memory 
locations. This could be done in Increments of IK or 4K or 16K bytes. 

This will further minimize the probability of a double error occurrence. 

The disadvantage of this concept is the increased software overhead but, 
when weighed against a 687 m sec. "off-line" time during "mission critical" 
phases, it seems reasonable to conclude that the FTM management concept 
should be Included as a part of the flight software. 


3-29 


Tabic 3-1 


FTM DIAGNOSTIC EXECUTION 


DIAGNOSTIC 

A. Fault Tally 

B. Address Fault Tali'* 

C. Reconfigure 

D. Copy/Test/Correct 

E. Multiple Error Overhead 


mcm i l TIME 

62 yeec + 19 ysec/ (halfword location) 
253 ysec /4K block 
7 ysec 

5 ysec/halfword location + 62 usee/ 
halfword location if correction needed) 

390 usee 


TOTAL EXECUTION TIME FOR 64K MACHINE WITH 1 DOUBLE FAULTED LOCATION 


(A) 522654 yeec + (C) 7 ysec + (D) 164S02 ysec + (E) 390 usee - 687 m sec 
3.3 IMPLEMENTATION OF ADDRFjS EXTENSION 

Expanding the ALU and appropriate data paths ard registers was 
selected as the approach to address expansion for the SUMC-IIC. 

This provides the addition of 20 bit numbers when address calcu- 
lations are being done as a part of the effective address 
walculation (EA Calc) . 

The EA Calculation is: E A ■ D + (B) + (X) where D is the 12 bit 

displacement from the Instruction register, (B) is the contents of 
one of the general registers (now 20 bits) and (X) is the contents 


3-30 



of one of the general registers (20 bi.ts). This addition is per- 
formed by calculating an interim number XNTR ■ D + (B) then getting 
the final EA-INTR + (X) . 

Performing the 20-bit arithmetic for either INTR or EA requires 
simultaneous access to 20 bits of the SPM (where the general 
registers are implemented) and a 20 bit wide ALU for adding posi- 
tive integers. Since the D is a positive integer, only the 
extended part of the ALU does not have to propagate any negative 
signs from the lower part of the ALU. 

Figure 3-17 shows the parts of the SUMC-IIC block diagram which 
are affected by the expanded addressing. The salient features of 
this hardware are discussed below: 

o A four bit extension to the PC was added to accommodate 
the 20-bit addressing. 

o The extension to the PC can be loaded from the extended 
ALU for branch instructions the same as the regular 
part of the PC can be loaded from the PRM. 

o The PC extension also goes through a new four bit MUX 
into the SAR extended for instruction fetching. 

The PC extension can be read into the data path (MQM) 
through a new four bit MUX. Tills is used for BAL and 
store PSW type operations. 

o The address MUX was expanded to handle the 20 bit address 
both from the SAR and from DMA. 


3-31 



XPC * PC K XSAR * SAR 
























0 


The address decode logic was expanded to provide six page 
select signals, for up to 96K bvtes in the prime CPU box, 
and the full address is available to be sent to an exter- 
nal memory unit so that page selects can also be generated 
externally. 

o The storage protect registers (not shown) were expanded to 
1024 X 2 to accommodate the 1024 segments of 1024 bytes 
each associated with the 20 bit address capability. 

o Manipulation of SPM for 20 bit arithmetic is not as 

straight forward as the items just mentioned and it is 
described in the immediately following paragraphs. 

To form the intermediate sum INTR = D + (B) in the extended ALU, 
the most significant four bits (MSB) of the base address, B must 
be added to the zeros which represent the MSBs of the 12-bit D 
field. This poses a problem, however, since the 32 bit general 
register holding the 20 bit base value is located in two separate 
16-bit locations in the SPM. Two SPM locations cannot be read at 
the same time so a portion of the SPM is duplicated. Therefore, 
when the SPM is reading the least significant 16 bits of a general 
register, the SPM extension must be reading what amounts to the 
least significant four bits of the most significant half of the 
general register. Thus the 20 bit base address (or index regis- 
ter) is made available simultaneously t r the ALU and extended ALU. 
The ALU extension register, which is cleared, is fed back to the 
ALU extension to provide the most significant zeros corresponding 
to the upper part of D (which is only 12 bits). At the end of 
this cycle, the ALU extension register contains the four MSBs of 
the 20-bit Base Register plus any carry from the displacement 


I 

I 

I 

I 

I 

I 

I 

I 


T 

* 

T 

4 

T 

4 

I 

I 

I 

l 

I 


addition. The second addition is like the first except the interim 
sum (20 bits) is added to the 20-bit X register value. The full 
20-bit EA is loaded into either the PC or the SAR according to the 
instruction being executed. 

The next problem is getting the MSB portion of the general registers 
into the SPM extension. Since the general registers are loaded in 
a double precision manner (first the lower half then the upper halt) 
the extended SPM must be loaded when the upper half of the register 
is loaded. Thus special manipulation of the most significant bits 
of the SPM address is used to load when an upper half general 
register is being loaded and read at all other times. 

The overall operation has been described above. Table 3-1 con- 
tains the control equations for the block shown in Figure 3-17. 

For definition of some of the signals make reference to the micro- 
program control word. For example: S 1 is the first bit of the 

SPM field, and R 2 is the second bit of the REGISTER field. 


3-34 



Table 3-2. CONTROL EQUATIONS 


Block Control 

A Read 5T * 57 

Write 5T * 57 ' SPM write 
B Read SI * 1 

Write SI ‘ 57 * SPM Write 
C Output * MAR if MUXA - MAR (A1 * A7 * A3) 

Output « SPM if MUXA = SPM (A1 ’ JZ ’ T&) 

Else Output - 0 

D Output = SPM if MUXB = SPM (A5 * A6 * TJ) 

Output * F if ALU = A-B {JS * A9 * AlO) 

Else Output = 0 

E Output Enable MAM = MAR or MAM = ALU or MAM = PC (Rl ‘ Rl) 
Output * XMAR if MAM = MAR (Rl ' R2 * R3 *■ R4) 

XALU if MAM = ALU (Rl " R7 ’ R? ‘ M) 

XPC if MAX = PC (Rl • R2 • Rl * R4) 

F Load = R5 ‘ CKZ (No reset) 

G Output = MQR Bits 12-15 if MQR to PC EXT (M7 * M8 ‘ M9 * M10) 

H Output = 0 if MAM = PC10 (M5 + M6 = 1) 

Else = PC EXT 
I Load = Load PC 

J Output = PC EXT if MQR = PSW (Rll * R12 * RT3') and 
MAM = PCIO (M5 + M6 * 1) 

K Load * CPSAR Load Clock 

Reset = POR 
L Same as A MUX 


3-35 



